Named Pipe Security Questions...


Post by Dwayne Park » Fri, 14 Aug 1998 04:00:00



I have a (possibly simple) question about security issues with named pipes
under Windows NT.  Here is the scenario:

---

NT Service(running under User A context):  Creates named pipe (and several
synchronization objects).  It acts as a named pipe server...

NT Application(under User B context):  This program attempts to connect via
the pipe but fails with an error #5  (Access Denied) every time.

---

The very same code running as two separate applications (same user context)
works fine.  But one as a service and... no go.  Both named pipe and synchro
objects give the above message.

This code is written in VB with Win32 API wrapper functions and that makes
things a bit tricky at times, but I feel that the issue is most likely in
the security attributes of the named pipe (same thing for the synchro
objects...).  Does this sound likely?  Any suggestions?  Since this is
written in VB I would like to avoid the security APIs as they deal with
structures, etc. which can be messy to deal with from within VB and I'm also
not that familiar with them.  But if I must...

Right now I'm using a NULL for the security attribute parameter in the named
pipe and synchro API calls.  I can provide code snippets if necessary...

Thanks in advance for any assistance.

--
- Dwayne Parks, CMIS

 
 
 


Post by Felix Kasza [MV » Sat, 15 Aug 1998 04:00:00


Dwayne,

 > Right now I'm using a NULL for the security attribute
 > parameter in the named pipe and synchro API calls.

To make that pipe accessible to world:

        Create a SECURITY_DESCRIPTOR
        call InitializeSecurityDescriptor() on it
        set a NULL DACL with
                SetSecurityDescriptorDacl( pSD, TRUE, NULL, FALSE )
        plug the SD into your SECURITY_ATTRIBUTES

--

Cheers,

Felix.

If you post a reply, kindly refrain from emailing it, too.

No anti-spam address here. Just one comment: IN YOUR FACE!
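
Added example, not part of the original posts: a portable C check that reads a self-relative security descriptor and reports which DACL state it carries, so the difference between passing no DACL and the NULL DACL set by SetSecurityDescriptorDacl( pSD, TRUE, NULL, FALSE ) is visible. The function name, enum and sample bytes are constructed for illustration; a NULL DACL is worth flagging in review because it grants every caller every right on the object, including the right to change its DACL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SE_DACL_PRESENT  0x0004u  /* winnt.h control bit: descriptor has a DACL field */
#define SE_SELF_RELATIVE 0x8000u  /* winnt.h control bit: offsets, not pointers */

enum dacl_state {
    SD_MALFORMED = -1,
    DACL_ABSENT,    /* no DACL supplied: the system applies a default DACL */
    DACL_NULL,      /* present but NULL: no access checks, anyone may also rewrite the DACL */
    DACL_EMPTY,     /* present with zero ACEs: all access denied */
    DACL_HAS_ACES   /* present with explicit ACEs */
};

/* Little-endian readers for the self-relative layout. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Header: Revision(1) Sbz1(1) Control(2) OffsetOwner(4) OffsetGroup(4)
 * OffsetSacl(4) OffsetDacl(4). ACL header: Rev(1) Sbz1(1) Size(2) AceCount(2) Sbz2(2). */
enum dacl_state classify_dacl(const uint8_t *sd, size_t len)
{
    if (sd == NULL || len < 20 || sd[0] != 1) return SD_MALFORMED;
    uint16_t control = rd16(sd + 2);
    uint32_t off = rd32(sd + 16);
    if (!(control & SE_SELF_RELATIVE)) return SD_MALFORMED;
    if (!(control & SE_DACL_PRESENT)) return DACL_ABSENT;
    if (off == 0) return DACL_NULL;
    if (off < 20 || off > len || len - off < 8) return SD_MALFORMED;
    return rd16(sd + off + 4) == 0 ? DACL_EMPTY : DACL_HAS_ACES;
}

/* Constructed samples, not captured from a real system. */
static const uint8_t sd_no_dacl[20]   = { 1, 0, 0x00, 0x80 };
static const uint8_t sd_null_dacl[20] = { 1, 0, 0x04, 0x80 };  /* DACL state of the NULL-DACL recipe */
static const uint8_t sd_empty_dacl[28] = { 1, 0, 0x04, 0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0,
                                           20,0,0,0,  2, 0, 8, 0, 0, 0, 0, 0 };

int main(void)
{
    printf("no DACL: %d, NULL DACL: %d, empty DACL: %d\n",
           classify_dacl(sd_no_dacl, sizeof sd_no_dacl),
           classify_dacl(sd_null_dacl, sizeof sd_null_dacl),
           classify_dacl(sd_empty_dacl, sizeof sd_empty_dacl));
    return 0;
}
```

An empty DACL and a NULL DACL differ only in the DACL offset and ACE count, yet one denies all access and the other allows all of it.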

 
 
 

1. Connecting to a named pipe created by a higher security process (how?)

Greetings:

Under NT4 SP2 I have a DLL that's loaded by a service. The DLL creates a
thread that creates a server-side named pipe. I wish to use this named
pipe as the method that other processes use to communicate with this
DLL.

When a process calls WaitNamedPipe, the pipe is located and an instance
is available. But when CreateFile is called it fails and GetLastError
returns ERROR_ACCESS_DENIED.

The problem is that my process (an MS-DOS console program or VB4 app) is
running at a lower security level than the service, and does not have
explicit permission to connect to the named pipe. I have played around
with the SECURITY_ATTRIBUTES of both CreateFile (client side) and
CreateNamedPipe (server side), but cannot get CreateFile to succeed.

How do I allow processes of a lesser security to connect to the pipe?
Or how do I bump the security level of my process up to that of the
service?

Thanks in advance.

--
James D. Murray  PO Box 70             Tel: +1.714.288.0141

Maintainer of the Graphics File Formats FAQ on comp.graphics.misc and
coauthor of the O'Reilly book "Encyclopedia of Graphics File Formats".
